--- /dev/null
+From f8995c2df519f382525ca4bc90553ad2ec611067 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 24 Mar 2026 17:42:51 +0100
+Subject: drm/ioc32: stop speculation on the drm_compat_ioctl path
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit f8995c2df519f382525ca4bc90553ad2ec611067 upstream.
+
+The drm compat ioctl path takes a user controlled pointer, and then
+dereferences it into a table of function pointers, the signature method
+of spectre problems. Fix this up by calling array_index_nospec() on the
+index to the function pointer list.
+
+Fixes: 505b5240329b ("drm/ioctl: Fix Spectre v1 vulnerabilities")
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Maxime Ripard <mripard@kernel.org>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: David Airlie <airlied@gmail.com>
+Cc: Simona Vetter <simona@ffwll.ch>
+Cc: stable <stable@kernel.org>
+Assisted-by: gkh_clanker_2000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Acked-by: Maxime Ripard <mripard@kernel.org>
+Reviewed-by: Simona Vetter <simona@ffwll.ch>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patch.msgid.link/2026032451-playing-rummage-8fa2@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_ioc32.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/drm_ioc32.c
++++ b/drivers/gpu/drm/drm_ioc32.c
+@@ -28,6 +28,7 @@
+ * IN THE SOFTWARE.
+ */
+ #include <linux/compat.h>
++#include <linux/nospec.h>
+ #include <linux/ratelimit.h>
+ #include <linux/export.h>
+
+@@ -982,6 +983,7 @@ long drm_compat_ioctl(struct file *filp,
+ if (nr >= ARRAY_SIZE(drm_compat_ioctls))
+ return drm_ioctl(filp, cmd, arg);
+
++ nr = array_index_nospec(nr, ARRAY_SIZE(drm_compat_ioctls));
+ fn = drm_compat_ioctls[nr].fn;
+ if (!fn)
+ return drm_ioctl(filp, cmd, arg);
hwmon-tps53679-fix-device-id-comparison-and-printing.patch
hwmon-occ-fix-missing-newline-in-occ_show_extended.patch
riscv-kgdb-fix-several-debug-register-assignment-bug.patch
+drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch
+wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch
+wifi-iwlwifi-mvm-fix-potential-out-of-bounds-read-in-iwl_mvm_nd_match_info_handler.patch
--- /dev/null
+From 744fabc338e87b95c4d1ff7c95bc8c0f834c6d99 Mon Sep 17 00:00:00 2001
+From: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
+Date: Sat, 7 Feb 2026 18:03:22 +0300
+Subject: wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
+
+From: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
+
+commit 744fabc338e87b95c4d1ff7c95bc8c0f834c6d99 upstream.
+
+The memcpy function assumes the dynamic array notif->matches is at least
+as large as the number of bytes to copy. Otherwise, results->matches may
+contain unwanted data. To guarantee safety, extend the validation in one
+of the checks to ensure sufficient packet length.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Cc: stable@vger.kernel.org
+Fixes: 5ac54afd4d97 ("wifi: iwlwifi: mvm: Add handling for scan offload match info notification")
+Signed-off-by: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
+Link: https://patch.msgid.link/20260207150335.1013646-1-a.velichayshiy@ispras.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+@@ -2678,7 +2678,7 @@ static void iwl_mvm_nd_match_info_handle
+ if (IS_ERR_OR_NULL(vif))
+ return;
+
+- if (len < sizeof(struct iwl_scan_offload_match_info)) {
++ if (len < sizeof(struct iwl_scan_offload_match_info) + matches_len) {
+ IWL_ERR(mvm, "Invalid scan match info notification\n");
+ return;
+ }
--- /dev/null
+From d049e56b1739101d1c4d81deedb269c52a8dbba0 Mon Sep 17 00:00:00 2001
+From: Yasuaki Torimaru <yasuakitorimaru@gmail.com>
+Date: Tue, 24 Mar 2026 19:06:24 +0900
+Subject: wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
+
+From: Yasuaki Torimaru <yasuakitorimaru@gmail.com>
+
+commit d049e56b1739101d1c4d81deedb269c52a8dbba0 upstream.
+
+The variable valuesize is declared as u8 but accumulates the total
+length of all SSIDs to scan. Each SSID contributes up to 33 bytes
+(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10)
+SSIDs the total can reach 330, which wraps around to 74 when stored
+in a u8.
+
+This causes kmalloc to allocate only 75 bytes while the subsequent
+memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte
+heap buffer overflow.
+
+Widen valuesize from u8 to u32 to accommodate the full range.
+
+Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yasuaki Torimaru <yasuakitorimaru@gmail.com>
+Link: https://patch.msgid.link/20260324100624.983458-1-yasuakitorimaru@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/microchip/wilc1000/hif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/microchip/wilc1000/hif.c
++++ b/drivers/net/wireless/microchip/wilc1000/hif.c
+@@ -162,7 +162,7 @@ int wilc_scan(struct wilc_vif *vif, u8 s
+ u32 index = 0;
+ u32 i, scan_timeout;
+ u8 *buffer;
+- u8 valuesize = 0;
++ u32 valuesize = 0;
+ u8 *search_ssid_vals = NULL;
+ struct host_if_drv *hif_drv = vif->hif_drv;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
